Remix.run Logo
michaelt 5 days ago

Even if this did happen, there's a trivial workaround available: Just go into your BIOS and switch 'Secure Boot' off.

Secure Boot is a fine thing if you're a huge corporation and want to harden laptops against untrustworthy employees, or you've got such a huge fleet of servers they go missing despite your physical security controls, or you're making a TiVo style product you want to harden against the device owners. But when the user is the device owner? Doesn't do much.

M95D 5 days ago | parent | next [-]

You won't be able to switch it off for long. See how many phones still have that option! [1]

In the end what matters is always money. Always.

What brings more money? TiVo or buyer-owned device? You think 5% of technically competent potential buyers would make a difference when the 95% illiterate users will just replace the product no questions asked?

It started as a fight against piracy and half-competent users that break their own systems (and the company's systems too, like you said). But slowly the industry sees that there's more money to be made if the same technology can provide a belivable argument in right to repair and planned obsolescence court cases.

[1] https://github.com/melontini/bootloader-unlock-wall-of-shame

II2II 5 days ago | parent [-]

Get back to me when it actually happens, because I've been hearing that line for about 15 years now and it has not happened.

The reality is that PC's address the needs of a fundamentally different market than "TiVo"s or even mobile phones. While most could, and probably should, be using secure boot noone seems to be eager to take away the option to disable it.

fc417fc802 4 days ago | parent | next [-]

You're living under a rock. It's been happening slowing but surely. As device form factor preferences change the new types conveniently don't make it easy to replace to OS. A significant chunk of them lock you out entirely.

Microsoft perennially makes small movements in that direction. Reduced control over the OS and attempts to exert control over the software ecosystem. I assume they're still trying to push consumers towards Windows S mode devices.

Kernel mode anticheat that won't run on systems that aren't attested. Streaming platforms that won't serve up decent quality streams. Even if you don't notice the pot being boiled there are those of us that do.

mjg59 4 days ago | parent | next [-]

Actually no - modern Windows on ARM devices have the same level of secure boot control as x86 ones.

fc417fc802 4 days ago | parent [-]

I never claimed otherwise? "Lock you out entirely" was in reference to a subset of Android, all of Apple, likely many wearables, most IoT devices, and probably others. I tried to outline the broad trend of curtailing user control (not limited to the bootloader) for those who feel like things have been stationary in the long term.

jand 4 days ago | parent | prev [-]

> Even if you don't notice the pot being boiled there are those of us that do.

Tangent: To me that sounds like a reference to the "frog boiling" story. This has been debunked [1], a healthy frog will not remain in a gradually heated pot of water. We need a better analogy for this.

[1] https://en.wikipedia.org/wiki/Boiling_frog

fc417fc802 4 days ago | parent [-]

I'm aware, but it's the understood turn of phrase at present. Similar to "tree shaking" which people started pushing back against at some point and I've no idea why because if it conveys the point then who cares whether or not farmers do it?

Lammy 5 days ago | parent | prev [-]

> Get back to me when it actually happens

Hello from 2013, and here you go!

https://wiki.ubuntu.com/ARM/SurfaceRT#Secure_Boot

https://openrt.gitbook.io/open-surfacert/common/boot-sequenc...

mjg59 4 days ago | parent | next [-]

There was a period where Microsoft was attempting to treat Windows on ARM devices in the same way as Apple treats iPads. That's not how things are now, and the walkback on that doesn't support the argument that the goal is to lock competitors out of the industry.

LeoPanthera 4 days ago | parent | prev [-]

This is only true if you count ARM tablets as "PCs", which most people don't.

Lammy 4 days ago | parent | next [-]

No, UEFI Secure Boot is UEFI Secure Boot. The fact that Microsoft exercised this ability twelve entire years ago on a platform where they thought they could get away with it makes it worse, not better.

tsimionescu 4 days ago | parent [-]

The fact that said device no longer exists, and has virtually no modern successors, and certainly none that matter commercially, tells a different story.

Plus, tablets are not PCs. People are happy with tablets and phones as locked devices. They are not happy with PCs as locked devices, and have not accepted such control, maybe outside the MacOS ecosystem.

fsflover 4 days ago | parent | prev [-]

Why does the type of a general-purpose computing device matters?

LeoPanthera 3 days ago | parent [-]

At some point you have to accept that not all computing devices are general purpose. You can't replace the OS on an iPad either, but there are millions of those in the world, and yet somehow we're discussing a failed tablet from 13 years ago.

II2II 3 days ago | parent | next [-]

If you can load application software onto them, I think it's fair to say they are general purpose computing devices. (I say application software since something like a thermostat may have a general purpose "computer" inside them and that microcontroller may have a reflashable ROM, but few would classify the device as a general purpose computer.)

That said, not all general purpose computing devices are useful for all things. For example: you can, but probably aren't, going to use a mobile phone for a server. On the flip side: you can use a server to do your banking, but most people won't find it as convenient as using their phone for banking (even though banking from a stationary computer is far more convenient than it was in the days when you had to go to a branch). Likewise: mobile devices can be used for content creation, but I doubt that you would find many office workers jumping at the opportunity to use them in the place of a desktop or laptop. On the other hand: someone who is on the road a lot would probably appreciate their portability.

fsflover 3 days ago | parent | prev [-]

https://news.ycombinator.com/item?id=25172883

trelane 5 days ago | parent | prev | next [-]

> you're making a TiVo style product you want to harden against the device owners.

This sentence just makes me so sad

observationist 5 days ago | parent [-]

This should be illegal, and anyone caught doing it fined twice the total cost of amortized ownership per each device owner over the total duration of ownership in addition to completely refunding every customer.

Throw in jail time for decision makers. Lets make markets honest with real incentives.

necovek 5 days ago | parent | next [-]

For a start, stop buying those products: vote with your wallet.

Do you own a phone that's easily rooted? Who else does?

What about your WiFi routers? Internet modem? AirTags? Smart home appliances?

userbinator 4 days ago | parent | next [-]

In the early 2010s the majority of Androids were easily rootable and the ROM-modding community flourished as a result.

esseph 5 days ago | parent | prev [-]

Rooting a phone fails certain security checks that prevent a lot of banking apps from working on your device.

necovek 5 days ago | parent | next [-]

Yes, it's equivalent to running a computer with admin access, and most banking web sites have no issue with that.

Still, my point was not about running a rooted phone with unlocked bootloader (secure boot disabled on a pc equivalent), but whether if this is possible accounts in your purchasing decision.

tsimionescu 4 days ago | parent [-]

Before we had secure phones, we used to get hardware gadgets from banks in order to secure access. Now that phones are secure enough, the phones act as the root of trust (and, unfortunately, SMS does as well...).

necovek 4 days ago | parent [-]

Yes, and phones are full of vulnerabilities because vendors provide security updates only for 2-5 years (high end being rare), thus making this a moot point.

charcircuit 4 days ago | parent [-]

The security measures do not need to be perfect. As long as fraud remains at a reasonable level it should be fine.

necovek 4 days ago | parent [-]

Agreed.

Full disk encryption on a device you have full control of is sufficient.

Containerization helps if you install untrusted apps.

Not having root helps if you install untrusted apps (either vulnerabilities/exploitable or malicious) as root.

esseph 4 days ago | parent [-]

Containers are not security.

Don't trust containers to have the same level of isolation as a VM.

charcircuit 3 days ago | parent [-]

Containers are for security, but they rely on the kernel+ being secure. VMs rely on the hypervisor+ being secure.

esseph 2 days ago | parent [-]

https://news.ycombinator.com/item?id=26076629

fsflover 4 days ago | parent | prev [-]

How about switching your bank if it forces you to give away your freedom for no security benefits?

esseph 4 days ago | parent [-]

Switch to the other bank with the same system? They're all like that.

fsflover a day ago | parent [-]

If all banks are like that in your country, you should complain to the legislators.

Terr_ 5 days ago | parent | prev | next [-]

And/or abolish the DMCA "anti-circumvention" laws, which makes it a crime to pick (digital) locks that you own, or discuss how one might do so.

It's still a problem if manufacturers force ExploitationOS on the device I bought, but it's not-as-bad when everyone can collaborate to disable the exploitation-parts.

https://www.eff.org/issues/dmca

immibis 5 days ago | parent [-]

Sometimes, people even break the law.

trelane 4 days ago | parent | prev | next [-]

Why? There is a perfectly cromulent license, sitting right there https://www.gnu.org/licenses/gpl-3.0.en.html

It was even explicitly designed to prevent "tivoization." https://www.gnu.org/philosophy/tivoization.en.html

One just has to use it to prevent their software from being locked away from the end user

jon-wood 4 days ago | parent | prev [-]

This isn't just about hardening devices against the owner, some devices by the nature of what they're doing have to go in places where their physical security can't be guaranteed, secure boot means that we can put those devices there and not worry about some kid with a USB stick coming by and either wholesale replacing the operating system with something else or injecting a botnet client into the running system.

supportengineer 5 days ago | parent | prev | next [-]

I'm surprised more huge corporations don't move towards a "Chromebook only" by default. Now you don't have to manage anything. We're all doing our work in browsers anyway.

spydum 5 days ago | parent | next [-]

There are quite a few who have. Ive worked in a google workspace enabled company on a chromeos device for like that last 6? Years. It works 95% of the things, but that last 5% can be frustrating: especially when it involves interoperability with a customers system. Now multiply that by 40000 employees.. that's a lot of help desk tickets.

citizenpaul 5 days ago | parent | prev | next [-]

If you are issued a chromebook to me it signal that they consider you a replaceable cog.

Its one of my interview questions these days. What device will I be issued?

If its a chromebook I know that no matter what they say they don't really care about the postion.

jon-wood 4 days ago | parent [-]

What are you talking about? Because the software you'll be expected to use for your job can run on a Chromebook you're considered a replaceable cog? All that means is that to do the job you're being employed for the company thinks you can do it with a web browser and whatever software will run on a Chromebook, its no different to being issued a centrally managed Windows device.

citizenpaul 4 days ago | parent [-]

Chromebooks can be had dirt cheap and for the most part are not customizable in any way. Laptops not so much. Most of the world is not SV or google. They don't put thought into the hardware you use other than is it the cheapest we can get for this persons position.

On the other had I've seen execs/directors that barely turn on their PC get $10k monster laptops because they are considered important. While staff get recycled garbage equipment or a $1000 max per person equipment budget.

crazygringo 5 days ago | parent | prev | next [-]

It's becoming increasingly popular, albeit slowly. The main barriers are 1) it has to be a corporation that uses Google Workspace rather than MS Office, and 2) there can't be any legacy .exe's that are still required, or else you need to figure out how to support those over some kind of remote desktop to a virtual Windows installation.

bongodongobob 5 days ago | parent | prev | next [-]

Why on earth do you think Chromebooks wouldn't need to be managed?

keyringlight 5 days ago | parent | prev [-]

I think at some point there will gradually be a line that divides consumer type devices and Workstation with a capital W type devices. If nothing else it'll encourage the PC market to really decide for each use-case how much they value having a huge range of laptop or pre-built configurations or being able to assemble from parts. There's a lot of momentum in the PC mindset, but I also think a lot of people would be satisfied with less 'personal' so long as they were able to identify what they need and match it to capabilities of a model. 20 years ago the idea of a phone/table as the personal computer for most people and not a PC/laptop would be silly, yet here we are

immibis 5 days ago | parent [-]

Is there not one already? Having a laptop or desktop puts you firmly in workstation category; the consumer type devices are smartphones (and they make up about 90% of all devices so we should probably stop treating mobile web pages as an afterthought).

mschuster91 5 days ago | parent | prev | next [-]

> But when the user is the device owner? Doesn't do much.

A decent Secure Boot implementation together with a BIOS/EFI password at least makes the life of US CBP or similar thugs wanting to use my devices against me much more difficult.

And no, that's not an imaginary threat, certainly not under this administration which has come under fire multiple times for first detaining and then deporting random tourists.

swagmoney1606 4 days ago | parent | prev | next [-]

You can't play many videogames if you do this, as anticheat won't let the game run unless secure boot is turned on

a96 4 days ago | parent [-]

For values of many being less than one in a million. Yes, the few that do are somewhat popular competitive ones, but they are very very rare in the sea of games that exist.

xg15 4 days ago | parent | prev | next [-]

Even if you can, there might be dark patterns to discourage you, such as showing a "boot screen of shame" if its turned off.

tux3 5 days ago | parent | prev | next [-]

Go in the BIOS and switch it off?

Certainly. Just one problem: Modern consumer BIOS interfaces are graphical and your GPU is off.

ThePowerOfFuet 5 days ago | parent [-]

That's not how it works; Secure Boot kicks in once EFI hands over control.

mjg59 5 days ago | parent | next [-]

The driver that initialises your plug-in GPU is shipped in flash on the card, is signed by Microsoft, and won't run unless that signature validates.

ThePowerOfFuet 3 days ago | parent | next [-]

I am reticent to argue with someone of your reputation, but AFAIK UEFI can initialize a basic framebuffer (and write to it) in a standardized manner without needing any ROM on the card.

https://wiki.osdev.org/GOP

mjg59 3 days ago | parent [-]

The GOP driver is provided by the card, and then exposes a standardised interface to the firmware.

tsimionescu 4 days ago | parent | prev [-]

Doesn't that happen only after UEFI starts the boot process, and only if Secure Boot is enabled?

mjg59 4 days ago | parent [-]

I don't understand what "UEFI starts the boot process" means? The firmware is what initialises the hardware. If the code needed to initialise your GPU doesn't have a trusted signature then it won't be executed, and you won't have any working graphics, so you won't have a UI to let you disable secure boot. If secure boot isn't enabled in the first place then yes this isn't a problem.

tux3 4 days ago | parent | prev [-]

The GPU is initialized earlier, so that the screen turns on. The GPU driver can access main memory through the bus.

If you let arbitrary code run before you start checking, you don't have a secure boot chain.

tpoacher 5 days ago | parent | prev [-]

Bitlocker